
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A thoughtful essay by Jon Callas on the trials and tribulations of being a crypto start-up company.

Before I get into commenting on parts of Jon's message, let me first make some very general points.

First, I don't think PGP, Inc. is being picked on. It announced a new product this month, one with obvious implications and resonances for and with the whole key recovery/key escrow/GAK debate.

Second, for us not to pick it apart would be "out of character" (considering past critical remarks directed toward Netscape (ask the Weinstein brothers), toward Microsoft (ask the MS employees who mostly post from non-MS accounts), toward Cybercash, toward First Virtual, toward RSADSI, and on and on). (And the Cypherpunks list was not even in the lead in picking on PGP for Business, as the comments by Bruce Schneier, Simson Garfinkel, etc. show.)

Third, several of us have reiterated the basic point that *of course* an employer or corporation owner has every right to insist that his employees use a particular product, submit to searches of their briefcases, have their phone calls monitored, wear funny costumes, and so on. Only a couple of people have even hinted that the issue is some kind of "workers' rights" thing.

Fourth, though employers may wish to insist on this kind of message recovery, there are obvious dangers. Not the least of which is that the voluntary aspects may cease to be voluntary (in terms of the government mandating archival of all corporation messages, analogous to requirements for audit trails, OSHA compliance, receipts, cash register records, etc.).

Fifth, it thus behooves us to think about these issues. That there will be issues to consider, and public debate, is shown by the comments here and the comments from Schneier, Garfinkel, etc.

And even Phil Zimmermann, when discussing a very similar product from ViaCrypt, basically said (paraphrasing from memory): "Call it what you like, but it violates the spirit of PGP, so don't call it PGP." Amen to that. (Personally, I'll be real disappointed if Chairman Phil sends us a Zimmermann Telegram (TM) telling us that the ViaCrypt and PGP products are actually not all alike. "Pay no attention to the man behind the curtain.")

Sixth, besides all of these issues, there are interesting questions about whether this form of "encrypting to a corporate key" is very useful or addresses the right problem. (I happen to believe that the "what if Joe is hit by a truck?" issue is better solved with other tools, and the "what if Joe is sending corporate secrets outside the company?" issue is not at all addressed with PGP for Business (as Joe will either stego encrypt, or, even better, will just carry out gigabytes on a CD or DAT and use a non-company account).)

Anyway, I guess I don't need to comment paragraph by paragraph on Jon's points. I'm happy that he's commenting here on the list.

- --Tim May

The Feds have shown their hand: they want a ban on domestic cryptography
- ---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
ComSec 3DES: 408-728-0152   | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^2,976,221   | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBND78j1K3AvrfAt9qEQL4pgCfQqH86oZ8phNCo45ZNFRj2AX8ogYAoLjG
0d/WpUBVhv4NXPsfo/dbsa59
=88Cn
-----END PGP SIGNATURE-----